More Questions about Remote Admin
justcurious
Posted: Sat Jun 15, 2002 12:38 pm Post subject: More Questions about Remote Admin
Newbie
Joined: 15 Jun 2002 Posts: 3
I am having trouble authenticating when trying to connect to a queue manager with mmc.
We are running MQSeries 5.0 on an NT4 member server.
I am running MQSeries 5.1 on my local NT4 workstation.
On the server, I have performed the following steps:
1) define channel(SYSTEM.ADMIN.SVRCONN) trptype(TCP) chltype(SVRCONN) descr('Remote Administration') mcauser('mqm')
2) strmqcsv QUEUE_MANAGER_NAME
3) added my domain login account to the local mqm group
When I try to connect to the queue manager from my local machine, I receive an authentication error:
"Access not authorized. You are not authorized to perform this operation. (AMQ4036)"
When I re-define the SVRCONN channel without the mcauser parameter, I have no problem connecting.
I have read other threads regarding this issue on this and other forums, but I have seen none that relate to a setup that mirrors mine ( IE: NT4 and v5.0 ).
Q1: Am I missing something?
Q2: Without the mcauser parameter, am I running with no security?
Q3: Do I need to upgrade MQ on the server to a newer version?
Any help will be appreciated.
mrlinux
Posted: Sun Jun 16, 2002 10:13 am Post subject:
Grand Master
Joined: 14 Feb 2002 Posts: 1261 Location: Detroit,MI USA
Well the mcauser should not be mqm, that works for unix systems which support having both user and groups having the same name.
The user is mqusr_admin I think, look under your usrmgr for something like that and make that the mcauser. You should be able to leave it blank with all the other security changes you made
_________________
Jeff
IBM Certified Developer MQSeries
IBM Certified Specialist MQSeries
IBM Certified Solutions Expert MQSeries
justcurious
Posted: Sun Jun 16, 2002 3:49 pm Post subject:
Newbie
Joined: 15 Jun 2002 Posts: 3
Thanks for the response, Jeff. You helped turn my thinking in a new direction. Even after disabling my test login account and removing it from all groups, I was still able to authenticate. That had me thinking that MQ was accepting anonymous connections.
It turns out that MQ itself was accepting the authentication because the test account was used to define some of the queues and the SVRCONN channel. I found the test account name peppered throughout several files in the queue manager's AUTH folder. Once I removed that account from those files, things started to happen.
Thanks again.
Tibor
Posted: Sun Jun 16, 2002 10:12 pm Post subject:
Grand Master
Joined: 20 May 2001 Posts: 1033 Location: Hungary
mrlinux wrote:
...The user is mqusr_admin I think, look under your usrmgr for something like that and make that the mcauser
MQ admin user on Win32 platform is MUSR_MQADMIN.
cvshiva
Posted: Thu Jun 20, 2002 5:51 am Post subject:
Apprentice
Joined: 04 Mar 2002 Posts: 35 Location: Chennai
Guys,
As of my experience, it is not ideal to set the mcauser attribute to "MUSR_MQADMIN" / "mqm" in Windows NT,2K / Unix platforms.
It poses a security risk, as anyone having access to your office network can connect to your Queue manager and hit it for a sixer by screwing up things.
It's always better to authenticate using the OS base User ID and groups, so that you know who is connecting to MQ always.
It's a good idea to even group Administrators and Application Users in two different groups.
Admins can be a part of default "mqm" group and a new group can be created for applications users and can be called "mquser".
Rights on Queue Manager and its objects like queues and process defs can be granted to the "mquser" group so that they can perform only application oriented tasks. Admin rights can be curbed from these users this way.
But you should always remember to grant rights whenever you create a new queue / process def. If not, the members of "mquser" group can't open this object.
Rights on Queue Manager and its objects can be controlled using the Object Authority Manager "OAM" (provided as a default Security installable service with MQ). Info can be found in System Admin manual under Protecting MQ Objects section
Regards,
_________________
Ramnath Shiva
IBM Certified SOA Specialist
IBM Certified MQSeries Specialist
Standard Scope International Pvt Ltd, Chennai
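
A check for the risk described in the post above, added here as an example and not taken from the thread or from IBM: it reads runmqsc DISPLAY CHANNEL output and flags SVRCONN channels whose MCAUSER is an administrator ID or is blank. The sample output, the AMQ8414 record header, and the names APP.SVRCONN, TO.REMOTE and appsvc are assumptions constructed for illustration.

```python
import re

# IDs the thread names as MQ administrators: "mqm" (Unix) and "MUSR_MQADMIN" (Windows).
PRIVILEGED_IDS = {"mqm", "musr_mqadmin"}
ATTR = re.compile(r"([A-Z]+)\(([^)]*)\)")  # MQSC KEYWORD(value) pairs

# Constructed sample, trimmed to the attributes the audit reads (not from the thread).
SAMPLE = """\
     1 : DISPLAY CHANNEL(*) ALL
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.ADMIN.SVRCONN)           CHLTYPE(SVRCONN)
   MCAUSER(mqm)
AMQ8414: Display Channel details.
   CHANNEL(APP.SVRCONN)                    CHLTYPE(SVRCONN)
   MCAUSER(appsvc)
AMQ8414: Display Channel details.
   CHANNEL(SYSTEM.DEF.SVRCONN)             CHLTYPE(SVRCONN)
   MCAUSER( )
AMQ8414: Display Channel details.
   CHANNEL(TO.REMOTE)                      CHLTYPE(SDR)
   MCAUSER(mqm)
"""

def parse_channels(mqsc_output):
    """Return one attribute dict per channel record in the runmqsc output."""
    channels, current = [], None
    for line in mqsc_output.splitlines():
        if line.startswith("AMQ8414"):      # assumed record header
            current = {}
            channels.append(current)
        elif current is not None:            # skips the echoed command line
            for key, value in ATTR.findall(line):
                current[key] = value.strip()
    return channels

def audit_svrconn(mqsc_output):
    """Flag SVRCONN channels whose MCAUSER hides or elevates the caller."""
    findings = []
    for ch in parse_channels(mqsc_output):
        if ch.get("CHLTYPE") != "SVRCONN":
            continue
        user = ch.get("MCAUSER", "")
        if user.lower() in PRIVILEGED_IDS:
            # Every client on this channel is checked by the OAM as an administrator.
            findings.append((ch.get("CHANNEL", "?"), "privileged-mcauser"))
        elif not user:
            # Blank MCAUSER: the OAM checks the user ID the client sends.
            findings.append((ch.get("CHANNEL", "?"), "client-asserted-id"))
    return findings

if __name__ == "__main__":
    for name, reason in audit_svrconn(SAMPLE):
        print(f"{name}: {reason}")
```

Channels that pass both checks, such as the hypothetical APP.SVRCONN, run under a fixed non-administrative ID, whose rights then come from the OAM grants made to its group.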
justcurious
Posted: Sat Jun 22, 2002 8:10 am Post subject:
Newbie
Joined: 15 Jun 2002 Posts: 3
Thanks for all of your responses. My problem was not in actually authenticating, but in proving to myself that my authentication was secure.
I have done that now